U.S.-based Compex Legal Services Inc, popularly known as Compex, has notified its clients that it has fallen victim to a cyberattack this year.
The Compex data breach reportedly took place in April 2024. In a press communication shared on July 24, the company said that it “recently discovered an incident that may have impacted the privacy of information related to certain individuals.” Compromised information could include health information and Social Security numbers, among other personal data.
Compex, founded in 1972, bills itself as the industry leader in record retrieval, record summarization, claims insights, and court reporting, serving more than 500 insurance companies and 4,000 law firms from its 36 U.S. offices.
The company, headquartered in Torrance, California, has around 1,000 employees and 332 associated members. Its specialty is speeding insurance claims through records retrieval and analysis.
Compex Data Breach Explained
In an ongoing internal investigation into the data breach, Compex shared that on April 17, it discovered suspicious activity on its network and promptly launched an investigation. The legal firm enlisted the assistance of third-party cybersecurity specialists to determine the nature and scope of the activity.
The investigation determined that Compex’s network was subject to unauthorized access starting on April 9, 2024, and that certain files were acquired by an unknown actor while on the network.
Compex said it is working towards notifying impacted individuals directly.
“Therefore, Compex is conducting a comprehensive review of the data determined to be at risk to assess what sensitive information is contained therein and to whom the information relates. Once this review is complete, Compex plans to mail notification letters directly to potentially impacted individuals for whom it has a valid mailing address. These letters will include resources that individuals can reference to further protect their information,” the company said.
“Compex is providing information about the event, its response, and steps potentially impacted individuals can take to better protect against the possible misuse of their information should they feel it is appropriate to do so,” the company said.
Sharing inputs on what sensitive customer data could be breached, Compex said that names of individuals, their date of birth, Social Security number, medical diagnosis and treatment information, medical record number and health insurance information could be exposed by the threat actor.
Compex has asked potentially affected individuals to remain vigilant against incidents of identity theft by reviewing their account statements and to share explanation of benefits for unusual activity with the firm.
Cyberattacks on Law Firms, Courts Grow
Several small and large law firms, as well as legal tech companies and court systems in the U.S., were hit by data breaches last year. Some of these cyberattacks resulting in litigation — and cyberattacks have continued into 2024.
Earlier this week, the Superior Court of Los Angeles County, the largest superior court system in the U.S., was forced to shut down following a ransomware attack. All the 36 courts in the L.A. County court system were closed on Monday and reopened the next day. However many services such as electronic filing, remote appearances in civil, probate, family law and traffic cases, were badly affected through the week.
While no threat actor group publicly claimed responsibility for the attack, the court received support from the California Governor’s Office of Emergency Services (CALOES) and local, state and federal law enforcement, which ensured that no user data was compromised.